Issues with Suricata Working as IDPS


I am encountering challenges with Suricata and would greatly appreciate any assistance or tips. I have configured UFW to forward traffic to Suricata for processing based on Suricata rules, intending to use Suricata as an IDPS.

Here’s a brief overview of my setup:

System: Raspberry Pi, Raspberry Pi OS running Suricata version 6.0.10

Suricata Configuration:
    Using nfq mode with mode: accept option in suricata.yaml
    Relevant rules in /etc/ufw/before.rules to forward packets to Suricata:

-I INPUT 1 -p tcp --dport 22 -j NFQUEUE --queue-bypass
-I OUTPUT 1 -p tcp --sport 22 -j NFQUEUE --queue-bypass

Local Rules (local.rules):

drop icmp any any -> any any (msg: "DROP ICMP REQUEST"; sid:1234; rev:1;)
drop ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:9999; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)


ICMP Traffic:
    The drop ICMP rule triggers an alert in eve.json, but the action is shown as "allowed" instead of "blocked" but when I use reject on the rule, It shows as "blocked". Does that mean the 'drop' action doesnt work or something? The ping request results in "request timed out". When this rule is commented out, the same "request timed out" response occurs.
HTTP Traffic:
    The IP rule does not trigger any alert, and I am experiencing a timeout response.
    Test: curl
    Response: curl: (6) Could not resolve host:

Despite these configurations, I’m unable to get Suricata to function as expected. ICMP requests are not being blocked correctly, and HTTP traffic seems to be blocked by something other than Suricata.


Suricata logs do not indicate any issues related to these rules.
Tcpdump confirms that ICMP packets are reaching the Raspberry Pi.

Could anyone provide guidance on additional troubleshooting steps or point out any potential misconfigurations?

Thank you